The SSL/TLS certificates on my HPE (Hewlett Packard Enterprise) C7000 blade chassis expired this week and therefore required replacing. I’m a strong believer in always replacing certificates with valid ones generated by a certificate authority (CA). In my mind there isn’t much excuse in a business to not have an internal CA for this sort of thing. In this post I’ll cover the steps required to replace a certificate on the C7000 Onboard Administrator (OA). The replacement can be completed in a number of ways – I’ll demonstrate via the OA web interface and also provide an example for the command line method.
Replace via Web Interface
As you can see in the screenshot below, the certificate has expired, resulting in the red warning bar –
Once logged onto the active OA, navigate to the Certificate Administration menu, which can be found under Enclosure Information –> Active Onboard Administrator –> Certificate Administration.
The initial page displays information about the current certificate. Clicking on the ‘Certificate Request’ tab presents a page where we can either generate a new self-signed certificate or create a certificate signing request (CSR), which is then submitted to a certificate authority (CA) for processing. In this instance we want to create a new CSR for submission.
The next step is to populate the required fields along with any optional fields, such as alternative names for the certificate, also known as Subject Alternative Names (SAN). If you connect to the system via an alias it’s important to add that alias to the certificate, otherwise you will get a certificate error.
Once all the necessary information is populated, click ‘Apply’ and the system will generate the CSR, which takes the form of a base64-encoded request. The simplest thing is to copy all of this text into a text file for submission to the CA.
The next steps depend very much on what type of certificate authority you are using or submitting to so I will simply provide an example of submitting to a Microsoft CA running in my Active Directory domain. In this instance I’m leveraging the certreq command as below.
certreq -attrib "CertificateTemplate:BSA-WebServer"
Having selected the file I am asked which CA I want to submit the request to – this is because (in my case) I am in an Active Directory forest with many other organisations, each of which runs a CA. Obviously select the appropriate CA and all being well it will ask you to save the returned certificate.
Now that we have our certificate it’s time to upload to the blade chassis – open the file in a text editor and then paste into the ‘Certificate Upload’ window and click ‘Upload’. The OA will warn that this action replaces the existing certificate and will also reset the OA.
Having left the chassis for a minute or two for the OA to come back online I checked the connection and the webpage no longer presented an error.
OK, now that we have completed the process via the web interface, let’s quickly look at a command line example.
Replace via SSH
SSH to the OA and use the generate certificate request command. Note that if you already have existing data in the fields you can just hit ‘Enter’, assuming you are happy with it. Otherwise you will need to populate each field accordingly; the system will then present that data for review before finally providing the CSR text, which is copied from the SSH session and submitted to a CA.
-----------------------------------------------------------------------------
WARNING: This is a private system. Do not attempt to login unless you are an
authorized user. Any authorized or unauthorized access and use may be moni-
tored and can result in criminal or civil prosecution under applicable law.
-----------------------------------------------------------------------------
Firmware Version: 4.50
Built: 07/24/2015 @ 04:06
OA Bay Number: 1
OA Role: Active
HP BladeSystem Onboard Administrator
(C) Copyright 2006-2015 Hewlett-Packard Development Company, L.P.

Type 'HELP' to display a list of valid commands.
Type 'HELP <command>' to display detailed information about a specific command.
Type 'HELP HELP' to display more detailed information about the help system.

BSA-SPC7K2-OA1> generate certificate request
Enter certificate data for Onboard Administrator #1
Current values are displayed between the [].
To remove the current value enter a single '.' character.
OA Name (CN): [BSA-SPC7K2.ByteSizedAlex.com]
Alternative Name: [DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150]
Organization (O): [ByteSizedAlex]
City or Locality (L): [Preston]
State or Province (S): [Lancashire]
Country (C): [GB]
Organizational Unit (OU) (optional): [IT Services]
Contact Person (optional): []
Contact Email Address (optional): [[email protected]]
Surname (optional): []
Given Name (optional): []
Initials (optional): []
DN Qualifier (optional): []
Challenge Password (optional):
Confirm :
Unstructured Name (optional): []

Please review the certificate data:
OA Name (CN): BSA-SPC7K2.ByteSizedAlex.com
Alternative Name: DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150
Organization (O): ByteSizedAlex
City or Locality (L): Preston
State or Province (S): Lancashire
Country (C): GB
Organizational Unit (OU) (optional): IT Services
Contact Person (optional):
Contact Email Address (optional): [email protected]
Surname (optional):
Given Name (optional):
Initials (optional):
DN Qualifier (optional):
Unstructured Name (optional):
Do you want to make any changes? (y/n) n

Certificate signing request for Onboard Administrator #1
-----BEGIN CERTIFICATE REQUEST-----
MdcxKjAoBgNVBAMMIUxDVC1TUEM3IIDfTCCAmUCAQAwgSzIueGxhbmNhc2hpcmVj
YXJlLm5ocy51azELMAkGA1UEBhMCR0IxEzARBgNVBAgMCkxhbmNhc2hpcmUxEDAO
BgNVBAcMB1ByZXN0b24xLTArBgNVBAoMJExhbmNhc2hpcmUgQ2FyZSBOSFMgRm91
bmRhdGlvbiBUcnVzdDEUMBIGA1UECwwLSVQgU2VydmljZXMxMDAuBgkqhkiG9w0B
CQEWIUlULkhlbHBkZXNrQGQoCggEBAJ8eYBOuw91SUlBODHgsYuLlgB1Du9uAKye
fyWDosShgeLGtPYXJlLm5ocy51azCCASIwDQYJKoZIOLjDuCLWpIV2oTCHi/vPxh
hvcNAQEBBQADggEPADCCAnitOT6D5h5PQFNhtpCJ9xhiiepck6smNhc2hpcmVjbP
MVhM4YOWlP8un5nI7fnxrY+i2dqYLGkwmLA21xWBPb1t938g3XM4QRuJVvVykboJ
Xi7J/K5RfwEMoIDPz7EasEjppsEXdBcAK2CCIt5t8/z05soum2w723aEowmM+apg
MxQl7YFgCVR0VY/PaoANV+9xx18VtIMtLJtdZrgmjDpNmEyIYzhXqir1Rg96L/Xx
dA/xORSW6hs+Tqt5/T1gCV9d6/LWLQpV+pwNrv/I8YJTC9KXIIkCAwEAAaBgMF4G
wRIIKTENULVNQQzdLMoIhTENULVNQQzdLCSqGSIb3DQEJDjFRME8wTQYDVR0RBEY
aGlyZWNhcmUubmhzLnVrgg0xMC4xMzUuMzYuMTUwhwQKhySWMA0GMi54bGFuY2Fz
CSqGSIb3DQEBCwUAA4IBAQBST0QaPAESQBUCJODiLCsnYB4XU8wrYdQCZxo0MgyE
4WDZD2ImFMy6V5azKadzrGl8ZzJH0EN32C/1i9B8hLTUNTcGuLcjVL3ukXDIqcYY
QLyFL5tpK7XJDeJnICkxDHk0wyLMhxd0mOMGeXHxLGaEGnw6rI/Yj4aORRln7kzK
S86bWYx1FhycuShYRWRCOXmORWlsjrY3zyYpiJ3VfsQjPHuA0GjrOFFHhWWIQ+tW
89rydp9GR+vbQDJl64PJIM5N/6LyVJfsrwmrI33x4+n0pROCIAG4lDtIaOxIQ+Fr
PP0UdcTkhoKEsodYTcyQMe+vBCmF2DF7O0fKkXr1I4n/
-----END CERTIFICATE REQUEST-----
BSA-SPC7K2-OA1>
This is just a quick example of the command line method. Of course one could script this and replace the certificates on multiple blade chassis; however, in my case I only had the one chassis in need of updating, so the rest can wait until nearer their expiry.
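Two checks are worth building around the procedure above: confirming that the certificate the CA returns actually carries every alias you asked for in the SAN list before you upload it (the certificate error mentioned earlier), and, once the OA has reset, confirming what it is now serving and how long the other chassis have left. The PowerShell below is an added example and is not code from the original post or from HPE’s OA tooling. It assumes Windows PowerShell 5.1 or PowerShell 7 with .NET’s SslStream available; the hostnames, aliases and file path in it are constructed placeholders, and the CA template name is the one quoted in the post.

```powershell
# Added example (not from the original post): inspect the certificate an
# Onboard Administrator presents on HTTPS, report days to expiry and check
# that its Subject Alternative Names cover every alias you connect with.
# Use it on the .cer the CA returned before uploading, then on the live OA
# after its reset, or across an inventory to find the next chassis due.
# Assumes Windows PowerShell 5.1 / PowerShell 7. Hostnames are constructed.

function Get-OaCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    # Accept whatever certificate the OA presents: we are inspecting it
    # (it may already be expired), not relying on it. Nothing is sent
    # after the handshake and the connection is closed immediately.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors) $true
    }
    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)
        # Copy the certificate so it outlives the stream
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Get-SanEntries {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is subjectAltName. Format($false) renders it on one line,
    # e.g. "DNS Name=host, DNS Name=host.example.com, IP Address=10.0.0.1"
    # on Windows; other .NET builds render "DNS:host", so both forms are parsed.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^\s*(?:DNS Name|DNS|IP Address|IP)\s*[=:]\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Test-OaCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Aliases = @(),
        [int]$WarnDays = 30
    )
    $sans     = @(Get-SanEntries -Certificate $Certificate)
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    # -notcontains compares case-insensitively, as browsers do for DNS names
    $missing  = @($Aliases | Where-Object { $sans -notcontains $_ })
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        Expiring   = ($daysLeft -le $WarnDays)
        Sans       = ($sans -join ', ')
        MissingSan = ($missing -join ', ')
    }
}

# 1. Before uploading: check the certificate the CA returned (path constructed).
#    Naming the CA with -config avoids the interactive CA picker, e.g.
#    certreq -submit -config "CA-HOST\CA-NAME" -attrib "CertificateTemplate:BSA-WebServer" oa.csr oa.cer
# $issued = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\certs\oa.cer')
# Test-OaCertificate -Certificate $issued -Aliases 'oa1', 'oa1.example.com'

# 2. After the OA resets, or on a schedule: scan every chassis in the inventory.
$inventory = @(
    @{ Host = 'oa1.example.com'; Aliases = @('oa1', 'oa1.example.com') }
    @{ Host = 'oa2.example.com'; Aliases = @('oa2', 'oa2.example.com') }
)
foreach ($entry in $inventory) {
    try {
        $cert = Get-OaCertificate -ComputerName $entry.Host
        Test-OaCertificate -Certificate $cert -Aliases $entry.Aliases |
            Add-Member -NotePropertyName Host -NotePropertyValue $entry.Host -PassThru
    }
    catch {
        Write-Warning "$($entry.Host): $($_.Exception.Message)"
    }
}
```

A non-empty MissingSan column is the case to catch before the upload: the OA will reset for a certificate that still produces a name mismatch for the alias you actually use. If the handshake in Get-OaCertificate fails against older OA firmware, the AuthenticateAsClient overload that takes an SslProtocols value lets you allow the protocol versions that firmware offers for the duration of the check.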
If you have any questions or suggestions please feel free to drop a comment below – hopefully this has been useful.
In case the webpage does not work (because the certificate is expired) and SSH is not active, how can I update the certificate?
You can still access the web interface regardless of certificate expiration. Depending on your browser you simply need to accept the alert and continue to load the page. Once done you can logon and perform the replacement task. I am of course presuming that you are getting the certificate warning page and there isn’t some larger issue with your device.